| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Sep 2015 12:45:45 +0200
From: Matteo Croce <matteo@...nwrt.org>
To: Daniel Borkmann <daniel@...earbox.net>
Cc: David Miller <davem@...emloft.net>, netdev@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v4] add stealth mode
2015-09-16 12:26 GMT+02:00 Daniel Borkmann <daniel@...earbox.net>:
> On 09/16/2015 11:54 AM, Matteo Croce wrote:
>>
>> Add option to disable any reply not related to a listening socket,
>> like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>> Also disables ICMP replies to echo request and timestamp.
>> The stealth mode can be enabled selectively for a single interface.
>>
>> Signed-off-by: Matteo Croce <matteo@...nwrt.org>
>> ---
>> rebased on 4.3-rc1
>>
>> Documentation/networking/ip-sysctl.txt | 14 ++++++++++++++
>> include/linux/inetdevice.h | 1 +
>> include/linux/ipv6.h | 1 +
>> include/uapi/linux/ip.h | 1 +
>> net/ipv4/devinet.c | 1 +
>> net/ipv4/icmp.c | 6 ++++++
>> net/ipv4/ip_input.c | 5 +++--
>> net/ipv4/tcp_ipv4.c | 3 ++-
>> net/ipv4/udp.c | 4 +++-
>> net/ipv6/addrconf.c | 7 +++++++
>> net/ipv6/icmp.c | 3 ++-
>> net/ipv6/ip6_input.c | 5 +++--
>> net/ipv6/tcp_ipv6.c | 2 +-
>> net/ipv6/udp.c | 3 ++-
>> 14 files changed, 47 insertions(+), 9 deletions(-)
>>
>> diff --git a/Documentation/networking/ip-sysctl.txt
>> b/Documentation/networking/ip-sysctl.txt
>> index ebe94f2..1d46adc 100644
>> --- a/Documentation/networking/ip-sysctl.txt
>> +++ b/Documentation/networking/ip-sysctl.txt
>> @@ -1206,6 +1206,13 @@ igmp_link_local_mcast_reports - BOOLEAN
>> 224.0.0.X range.
>> Default TRUE
>>
>> +stealth - BOOLEAN
>> + Disable any reply not related to a listening socket,
>> + like RST/ACK for TCP and ICMP Port-Unreachable for UDP.
>> + Also disables ICMP replies to echo requests and timestamp
>> + and ICMP errors for unknown protocols.
>> + Default value is 0.
>> +
>
>
> Hmm, what about all other protocols besides TCP/UDP such as SCTP, DCCP,
> etc? It seems it gives false expectations in such cases when the user
> enables being "stealth", but finds out it has no effect at all there ...
> nmap f.e. has a couple of scanning options for SCTP, and at least SCTP
> is still relevant in telco space.
>
> I know this question has been asked before, but the only answer on this
> was so far: "well, I've never played with SCTP before" ... :/
Right, I was thinking to add them in a later version
--
Matteo Croce
OpenWrt Developer
_______ ________ __
| |.-----.-----.-----.| | | |.----.| |_
| - || _ | -__| || | | || _|| _|
|_______|| __|_____|__|__||________||__| |____|
|__| W I R E L E S S F R E E D O M
-----------------------------------------------------
CHAOS CALMER
-----------------------------------------------------
* 1 1/2 oz Gin Shake with a glassful
* 1/4 oz Triple Sec of broken ice and pour
* 3/4 oz Lime Juice unstrained into a goblet.
* 1 1/2 oz Orange Juice
* 1 tsp. Grenadine Syrup
-----------------------------------------------------
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists